Snort mailing list archives
Re: snort install info hyperlink
From: Peter Bates <peter.bates () ucl ac uk>
Date: Tue, 16 Oct 2012 09:03:50 +0100
Hello all

On 16/10/2012 07:50, kevin zhang wrote:
> hello all
> OS: CENTOS 6.3 X64
> SNORT 2.9.3.1
> I run snort in IDS mode, there are a few WARNINGs
>
> WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
> WARNING: flowbits key 'file.crx' is set but not ever checked.
This is mostly just a WARNING that can be safely ignored - the rule will still trigger (unless it has been set to noalert in the rule itself).
> WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked but not ever set.
> WARNING: flowbits key 'dce.spoolss.4.call' is checked but not ever set.
These are slightly different - these rules will never fire because they're looking for flowbits that, as the message says, are never set.

I'd recommend you use PulledPork to manage your rules as this handles the flowbit resolution for you - however you do still see the first type (set but not ever checked) but you shouldn't see the second when using PP.

-- 
Peter Bates
Senior Information Security Officer    Phone: +44(0)2076792049
Information Services Division          Internal Ext: 32049
University College London
London WC1E 6BT
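The two warning types discussed in the reply above can be checked offline against a rule file. This is an added example, not part of the original post and not code from Snort or PulledPork: the rule text, the `example.*` flowbit names and the SIDs are constructed, and counting `set`/`setx`/`toggle` as "set" is an assumption. It goes slightly beyond the message by also listing disabled rules that would supply a missing flowbit if enabled.

```python
import re
from collections import defaultdict

# Constructed sample rule file (not from a real rule set); sid 1000005 is disabled.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"EXAMPLE crx"; content:"Cr24"; flowbits:set,file.crx; flowbits:noalert; sid:1000001;)
alert tcp any any -> any any (msg:"EXAMPLE rat reply"; flowbits:isset,example.rat.request; content:"OK"; sid:1000002;)
alert tcp any any -> any 445 (msg:"EXAMPLE bind"; flowbits:set,example.dce.bind; flowbits:noalert; sid:1000003;)
alert tcp any any -> any 445 (msg:"EXAMPLE call"; flowbits:isset,example.dce.bind; sid:1000004;)
# alert tcp any any -> any any (msg:"EXAMPLE rat request"; flowbits:set,example.rat.request; flowbits:noalert; sid:1000005;)
'''

SETTERS = {"set", "setx", "toggle"}   # assumption: operations counted as "set"
CHECKERS = {"isset", "isnotset"}      # operations counted as "checked"
FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")

def audit_flowbits(rules_text):
    """Classify flowbit keys into the two warning types quoted in the thread."""
    set_by, checked_by, disabled_set_by = defaultdict(set), defaultdict(set), defaultdict(set)
    isset_exprs = []  # (sid, keys, joined_by_or) for each enabled isset option
    for line in rules_text.splitlines():
        line = line.strip()
        sid_match = SID.search(line)
        if not sid_match:
            continue  # blank line or plain comment
        sid, enabled = int(sid_match.group(1)), not line.startswith("#")
        for op, names in FLOWBITS.findall(line):
            # one option may name several bits joined by & or |
            keys = [n.strip() for n in re.split(r"[&|]", names) if n.strip()]
            for key in keys:
                if op in SETTERS:
                    (set_by if enabled else disabled_set_by)[key].add(sid)
                elif op in CHECKERS and enabled:
                    checked_by[key].add(sid)
            if op == "isset" and enabled:
                isset_exprs.append((sid, keys, "|" in names))
    unset = {k: sorted(v) for k, v in checked_by.items() if k not in set_by}
    missing = lambda key: key not in set_by
    return {
        "set_not_checked": {k: sorted(v) for k, v in set_by.items() if k not in checked_by},
        "checked_not_set": unset,
        # an isset rule cannot fire if a required bit (any for &, all for |) is never set
        "never_fire": sorted({sid for sid, keys, is_or in isset_exprs
                              if (all if is_or else any)(map(missing, keys))}),
        # disabled rules that would supply the missing bit if enabled
        "enable_to_fix": {k: sorted(disabled_set_by[k]) for k in unset if k in disabled_set_by},
    }

if __name__ == "__main__":
    for name, value in audit_flowbits(SAMPLE_RULES).items():
        print(f"{name}: {value}")
```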